Hi all,
I'm running m0n0wall 1.2 on a WRAP 1D where the m0n0wall connects all my
machines on the LAN to the internet through NAT. I use the addresses
from 10.0.0.0/24 as the private address range and the public IP address
is assigned by my ISP through DHCP. The m0n0wall itself has the LAN
address 10.0.0.11 and my desktop is 10.0.0.57. The desktop runs only
Linux and the browser is Firefox 1.0.7. Java is enabled in the browser
but does not work, i.e. the configuration is broken.
I found several entries in the firewall logs which showed dropped
packets that were coming in via the WAN interface (ng0) and were
directed at private addresses. These entries seemed to belong to three
classes:
class 1: UDP directed to port 1434 of the public IP. Example:
-------------------------------------------------------------
15:26:54.173615 ng0 @0:6 b 10.0.0.11,3512 -> 84.147.223.17,1434 PR udp
len 20 404 IN
There was only one entry of this class and at this time all other
machines on my LAN were switched off. Theoretically this could be the
result of guessing an internal IP address but because there were no
other entries (which would indicate some sort of searching process) it
seems more likely that the sender knew what he/she/it was doing. The
question here is how would the sender be able to learn the private
address of the m0n0wall?
class 2: TCP Data packets coming from a web server. Examples:
-------------------------------------------------------------
12:36:50.437910 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48206 PR tcp
len 20 1492 -AP IN
12:37:11.854757 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48194 PR tcp
len 20 1492 -AP IN
class 3: TCP RST packets coming from a web server. Examples:
------------------------------------------------------------
13:48:07.680084 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,43246 PR tcp
len 20 40 -AR IN
22:06:00.819662 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,35462 PR tcp
len 20 40 -AR IN
22:11:14.330707 ng0 @0:26 b 213.209.108.157,80 -> 10.0.0.57,36744 PR tcp
len 20 40 -AR IN
BTW: The sender IP addresses for class 3 entries belong to a company
called mediavantage (www.mediavantage.de) which seems to offer some
services related to advertising. The output of ipfstat -nio can be found
below.
I know that there are ways for a web server to determine the client's
local IP address through running scripts on the client's machine. These
either seem only to work on Windows or involve calling some Java
routines through JavaScript. As I'm running Linux on my desktop, all the
Windows-specific methods won't work, and due to the fact that Java does
not work in my browser, I'm sure that these methods don't work either (I
even tried some sample scripts). So at the moment, unless I am infected
with some sort of malware, I am pretty sure that no application is
"leaking" the private address to the web server.
But maybe I am misinterpreting the log entries. Is it possible that the
packets of class 2 and 3 were dropped by the firewall after NAT had
replaced the public receiver address with the private IP address?
In this case the packets received from the internet would not have
contained the private IP addresses.
Martin
ipfstat -nio
@1 pass out quick on lo0 from any to any
@2 pass out quick on sis0 proto udp from 10.0.0.11/32 port = 67 to any port = 68
@3 pass out quick on ng0 proto udp from any port = 68 to any port = 67
@4 pass out quick on ng0 proto udp from 84.147.248.120/32 port = 500 to any
@5 pass out quick on ng0 proto esp from 84.147.248.120/32 to any
@6 pass out quick on ng0 proto ah from 84.147.248.120/32 to any
@7 pass out quick on sis0 proto udp from 10.0.0.11/32 port = 500 to any
@8 pass out quick on sis0 proto esp from 10.0.0.11/32 to any
@9 pass out quick on sis0 proto ah from 10.0.0.11/32 to any
@10 pass out quick on sis2 proto udp from 10.0.1.11/32 port = 500 to any
@11 pass out quick on sis2 proto esp from 10.0.1.11/32 to any
@12 pass out quick on sis2 proto ah from 10.0.1.11/32 to any
@13 pass out quick on sis0 from any to any keep state
@14 pass out quick on ng0 from any to any keep state
@15 pass out quick on sis2 from any to any keep state
@16 block out log quick from any to any
@1 pass in quick on lo0 from any to any
@2 block in log quick from any to any with short
@3 block in log quick from any to any with ipopt
@4 pass in quick on sis0 proto udp from any port = 68 to 255.255.255.255/32 port = 67
@5 pass in quick on sis0 proto udp from any port = 68 to 10.0.0.11/32 port = 67
@6 block in log quick on ng0 from 10.0.0.0/24 to any
@7 block in log quick on ng0 from 10.0.1.0/24 to any
@8 block in log quick on ng0 proto udp from any port = 67 to 10.0.0.0/24 port = 68
@9 pass in quick on ng0 proto udp from any port = 67 to any port = 68
@10 block in log quick on sis0 from !10.0.0.0/24 to any
@11 block in log quick on sis2 from !10.0.1.0/24 to any
@12 block in log quick on ng0 from 10.0.0.0/8 to any
@13 block in log quick on ng0 from 127.0.0.0/8 to any
@14 block in log quick on ng0 from 172.16.0.0/12 to any
@15 block in log quick on ng0 from 192.168.0.0/16 to any
@16 pass in quick on ng0 proto udp from any to 84.147.248.120/32 port = 500
@17 pass in quick on ng0 proto esp from any to 84.147.248.120/32
@18 pass in quick on ng0 proto ah from any to 84.147.248.120/32
@19 pass in quick on sis0 proto udp from any to 10.0.0.11/32 port = 500
@20 pass in quick on sis0 proto esp from any to 10.0.0.11/32
@21 pass in quick on sis0 proto ah from any to 10.0.0.11/32
@22 pass in quick on sis2 proto udp from any to 10.0.1.11/32 port = 500
@23 pass in quick on sis2 proto esp from any to 10.0.1.11/32
@24 pass in quick on sis2 proto ah from any to 10.0.1.11/32
@25 skip 1 in proto tcp from any to any flags S/FSRA
@26 block in log quick proto tcp from any to any
@27 block in log quick on sis0 from any to any head 100
@1 pass in quick from 10.0.0.0/24 to 10.0.0.11/32 keep state group 100
@2 pass in quick from 10.0.0.0/24 to any keep state group 100
@28 block in log quick on ng0 from any to any head 200
@29 block in log quick on sis2 from any to any head 300
@1 pass in quick from 10.0.1.0/24 to 10.0.1.0/24 keep state group 300
@2 pass in quick proto tcp from 10.0.1.65/32 to 10.0.0.59/32 port = 443 keep state group 300
@30 block in log quick from any to any
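The log entries and the ruleset above can be checked against each other mechanically. The following Python script is an added example, not part of the original post or of m0n0wall; it parses ipmon-style records (the sample below is constructed from the entries quoted in the post, re-joined onto one line each because the mailing-list wrap split them) and labels each blocked record according to the rule number it reports: rule 6 of the "in" list is the anti-spoofing rule for 10.0.0.0/24 on ng0, and rule 26 blocks any inbound TCP segment that is not a bare SYN and matched no state-table entry. The lead-in facts it relies on are IPFilter's documented processing order, namely that inbound NAT is applied before the filter rules and the state table is consulted before the rule list, so a private destination in an inbound log line is the post-translation address. The field layout assumed for ipmon output is the one visible in the post; the label strings are the example's own.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Constructed sample: the six entries quoted in the post, each on one line
# (ipmon prints one record per line; the mailing-list wrap split them).
SAMPLE_LOG = """\
15:26:54.173615 ng0 @0:6 b 10.0.0.11,3512 -> 84.147.223.17,1434 PR udp len 20 404 IN
12:36:50.437910 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48206 PR tcp len 20 1492 -AP IN
12:37:11.854757 ng0 @0:26 b 213.189.25.134,80 -> 10.0.0.57,48194 PR tcp len 20 1492 -AP IN
13:48:07.680084 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,43246 PR tcp len 20 40 -AR IN
22:06:00.819662 ng0 @0:26 b 213.209.108.155,80 -> 10.0.0.57,35462 PR tcp len 20 40 -AR IN
22:11:14.330707 ng0 @0:26 b 213.209.108.157,80 -> 10.0.0.57,36744 PR tcp len 20 40 -AR IN
"""

# Assumed ipmon record layout (as seen in the post):
# time iface @group:rule action src,sport -> dst,dport PR proto len hdrlen pktlen [-tcpflags] IN|OUT
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<iface>\S+)\s+@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[\d.]+),(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+(?P<flags>-[A-Z]+))?\s+(?P<dir>IN|OUT)$"
)


def parse_ipmon_line(line: str) -> Optional[dict]:
    """Return a record dict for one ipmon line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "plen"):
        rec[key] = int(rec[key])
    rec["flags"] = (rec["flags"] or "").lstrip("-")  # "-AR" -> "AR"
    rec["src_private"] = ipaddress.ip_address(rec["src"]).is_private
    rec["dst_private"] = ipaddress.ip_address(rec["dst"]).is_private
    return rec


def parse_log(text: str) -> list:
    return [r for r in (parse_ipmon_line(ln) for ln in text.splitlines()) if r]


def triage(rec: dict, wan_iface: str = "ng0") -> str:
    """Label a record by what the posted ruleset says about the rule that logged it."""
    if rec["action"] != "b":
        return "passed"
    if rec["dir"] == "IN" and rec["iface"] == wan_iface and rec["src_private"]:
        # Inbound on the WAN side with an RFC1918 source: this is what the
        # anti-spoofing rules (in-list @6, @12-@15) log.
        return "wan-in: private source (anti-spoof rule)"
    if rec["proto"] == "tcp" and rec["dir"] == "IN" and "S" not in rec["flags"]:
        # Not a SYN, so in-list @25 did not skip @26; the segment was blocked
        # because no state entry matched it. Inbound NAT runs before the filter,
        # so a private destination here is the already-translated address.
        kind = "RST" if "R" in rec["flags"] else "data/ack"
        where = "private" if rec["dst_private"] else "public"
        return f"wan-in: stateless tcp {kind} to {where} dst"
    return "other block"


def summarize(records) -> Counter:
    return Counter(triage(r) for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(f"{r['time']} @{r['group']}:{r['rule']} {r['src']}:{r['sport']} -> "
              f"{r['dst']}:{r['dport']} {r['proto']:<3} {r['flags']:<3} {triage(r)}")
    for label, n in summarize(recs).items():
        print(f"{n:>3} {label}")
```

Run against the sample, the five class 2 and class 3 entries all come out as stateless TCP segments to the post-NAT private address, which is the reading the post asks about; the single class 1 entry is logged by the anti-spoofing rule because its source, not its destination, is in 10.0.0.0/24. Pointing the script at the full ipmon output rather than the six quoted lines is the way to see whether any entry falls outside those two patterns.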